Fixed content storage within a partitioned content platform, with replication

ABSTRACT

A content platform cluster that comprises an array of nodes is logically partitioned. Using a web-based interface, an administrator defines “tenants” within the cluster, wherein a tenant has a set of attributes: namespaces, administrative accounts, data access accounts, and a permission mask. A namespace is a logical partition of the cluster that serves as a collection of objects typically associated with at least one defined application. Each namespace has a private file system with respect to other namespaces. This approach enables a user to segregate cluster data into logical partitions. Tenant information, including all associated namespaces, in the cluster (the “source cluster”) is replicated to at least one target cluster over a replication link. Preferably, replication is available for multiple tenants in the source cluster, and a replication algorithm ensures that a particular tenant can be added to the replication link without stalling the progress of other tenants.

The subject matter herein includes material that is subject tocopyright, and all such rights are reserved.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to application:

Ser. No. 11/638,252, filed Dec. 13, 2006, titled “Policy-basedmanagement of a redundant array of independent nodes;”

Ser. No. 11/675,224, filed Feb. 15, 2007, titled “Method for improvingmean time to data loss (MTDL) in a fixed content distributed datastorage;” and

Ser. No. 11/936,317, filed Nov. 7, 2007, titled “Fast primary clusterrecovery.”

BACKGROUND

Technical Field

This disclosure relates generally to techniques for highly available,reliable, and persistent data storage in a distributed computer network.

Description of the Related Art

A need has developed for the archival storage of “fixed content” in ahighly available, reliable and persistent manner that replaces orsupplements traditional tape and optical storage solutions. The term“fixed content” typically refers to any type of digital information thatis expected to be retained without change for reference or otherpurposes. Examples of such fixed content include, among many others,e-mail, documents, diagnostic images, check images, voice recordings,film and video, and the like. The traditional Redundant Array ofIndependent Nodes (RAIN) storage approach has emerged as thearchitecture of choice for creating large online archives for thestorage of such fixed content information assets. By allowing nodes tojoin and exit from a cluster as needed, RAIN architectures insulate astorage cluster from the failure of one or more nodes. By replicatingdata on multiple nodes, RAIN-type archives can automatically compensatefor node failure or removal. Typically, RAIN systems are largelydelivered as hardware appliances designed from identical componentswithin a closed system.

BRIEF SUMMARY

A content platform (or “cluster”) that comprises a redundant array ofindependent nodes is logically partitioned. Using a web-based interface,an administrator defines one or more “tenants” within the cluster,wherein a tenant has a set of attributes: namespaces, administrativeaccounts, data access accounts, and a permission mask. A namespace is alogical partition of the cluster that serves as a collection of objectstypically associated with at least one defined application. Eachnamespace has a private file system with respect to other namespaces.This approach enables a user to segregate cluster data into logicalpartitions. According to this disclosure, tenant information, includingall associated namespaces, in the cluster (the “source cluster”) isreplicated to at least one target cluster over a replication link.Preferably, replication is available for multiple tenants in the sourcecluster, and a replication algorithm ensures that a particular tenantcan be added to the replication link without stalling the progress ofreplicating data for other tenants.

The foregoing has outlined some of the more pertinent features of thedisclosed subject matter. These features should be construed to bemerely illustrative. Many other beneficial results can be attained byapplying the disclosed subject matter in a different manner or bymodifying the subject matter as will be described.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram of a fixed content storage archivein which the subject matter may be implemented;

FIG. 2 is a simplified representation of a redundant array ofindependent nodes each of which is symmetric and supports an archivecluster application according to the disclosed subject matter;

FIG. 3 is a high level representation of the various components of thearchive cluster application executing on a given node;

FIG. 4 illustrates how a cluster is partitioned according to thetechniques described herein;

FIG. 5 illustrates an Overview page of a tenant administrator console;

FIG. 6 illustrates a Namespace page of the tenant administrator console;

FIG. 7 illustrates a Create Namespace container page of the tenantadministrator console;

FIG. 8 illustrates a Namespace Overview container page for a givennamespace;

FIG. 9 illustrates a Policies container page for the given namespace bywhich the administrator can configure a given policy;

FIG. 10 illustrates how an administrator enables versioning for thenamespace;

FIG. 11 illustrates how an administrator enables a disposition servicefor the namespace;

FIG. 12 illustrates how an administrator enables a privileged deleteoption for the namespace;

FIG. 13 illustrates how an administrator enables retention classes forthe namespace;

FIG. 14 illustrates a Replication tab for the tenant;

FIG. 15 illustrates one of the Namespaces in the Replication tab showingthe graphs and statistics for the replication of that namespace;

FIG. 16 illustrates how content is replicated to one or more remotearchive sites to facilitate archival-based business continuity and/ordisaster recovery;

FIG. 17 represents how an administrator can create links betweenclusters to facilitate object level replication; and

FIG. 18 illustrates how tenant data is replicated according to thesubject matter of this disclosure.

DETAILED DESCRIPTION

It is known to provide a scalable disk-based archival storage managementsystem, preferably a system architecture based on a redundant array ofindependent nodes. The nodes may comprise different hardware and thusmay be considered “heterogeneous.” A node typically has access to one ormore storage disks, which may be actual physical storage disks, orvirtual storage disks, as in a storage area network (SAN). The archivecluster application (and, optionally, the underlying operating system onwhich that application executes) that is supported on each node may bethe same or substantially the same. In one illustrative embodiment, thesoftware stack (which may include the operating system) on each node issymmetric, whereas the hardware may be heterogeneous. Using the system,as illustrated in FIG. 1, enterprises can create permanent storage formany different types of fixed content information such as documents,e-mail, satellite images, diagnostic images, check images, voicerecordings, video, and the like, among others. These types are merelyillustrative, of course. High levels of reliability are achieved byreplicating data on independent servers, or so-called storage nodes.Preferably, each node is symmetric with its peers. Thus, becausepreferably any given node can perform all functions, the failure of anyone node has little impact on the archive's availability.

As described in U.S. Pat. No. 7,155,466, a distributed softwareapplication executed on each node captures, preserves, manages, andretrieves digital assets. In an illustrated embodiment of FIG. 2, aphysical boundary of an individual archive is referred to as a cluster.Typically, a cluster is not a single device, but rather a collection ofdevices. Devices may be homogeneous or heterogeneous. A typical deviceis a computer or machine running an operating system such as Linux.Clusters of Linux-based systems hosted on commodity hardware provide anarchive that can be scaled from a few storage node servers to many nodesthat store thousands of terabytes of data. This architecture ensuresthat storage capacity can always keep pace with an organization'sincreasing archive requirements. Preferably, data is replicated acrossthe cluster so that the archive is always protected from device failure.If a disk or node fails, the cluster automatically fails over to othernodes in the cluster that maintain replicas of the same data.

An illustrative cluster preferably comprises the following generalcategories of components: nodes 202, a pair of network switches 204,power distribution units (PDUs) 206, and uninterruptible power supplies(UPSs) 208. A node 202 typically comprises one or more commodity serversand contains a CPU (e.g., Intel x86, suitable random access memory(RAM), one or more hard drives (e.g., standard IDE/SATA, SCSI, or thelike), and two or more network interface (NIC) cards. A typical node isa 2U rack mounted unit with a 2.4 GHz chip, 512 MB RAM, and six (6) 200GB hard drives. This is not a limitation, however. The network switches204 typically comprise an internal switch 205 that enable peer-to-peercommunication between nodes, and an external switch 207 that allowsextra-cluster access to each node. Each switch requires enough ports tohandle all potential nodes in a cluster. Ethernet or GigE switches maybe used for this purpose. PDUs 206 are used to power all nodes andswitches, and the UPSs 208 are used to protect all nodes and switches.Although not meant to be limiting, typically a cluster is connectable toa network, such as the public Internet, an enterprise intranet, or otherwide area or local area network. In an illustrative embodiment, thecluster is implemented within an enterprise environment. It may bereached, for example, by navigating through a site's corporate domainname system (DNS) name server. Thus, for example, the cluster's domainmay be a new sub-domain of an existing domain. In a representativeimplementation, the sub-domain is delegated in the corporate DNS serverto the name servers in the cluster itself. End users access the clusterusing any conventional interface or access tool. Thus, for example,access to the content platform may be carried out over any protocol(REST, HTTP, FTP, NFS, AFS, SMB, a Web service, or the like), via anAPI, or through any other known or later-developed access method,service, program or tool.

Client applications access the cluster through one or more types ofexternal gateways such as standard UNIX file protocols, or HTTP APIs.The archive preferably is exposed through a virtual file system that canoptionally sit under any standard UNIX file protocol-oriented facility.These include: NFS, FTP, SMB/CIFS, or the like.

In one embodiment, the archive cluster application runs on a redundantarray of independent nodes (H-RAIN) that are networked together (e.g.,via Ethernet) as a cluster. The hardware of given nodes may beheterogeneous. For reliability, however, preferably each node runs aninstance 300 of the distributed application (which may be the sameinstance, or substantially the same instance), which is comprised ofseveral runtime components as now illustrated in FIG. 3. Thus, whilehardware may be heterogeneous, the software stack on the nodes (at leastas it relates to the present invention) is the same. These softwarecomponents comprise a gateway protocol layer 302, an access layer 304, afile transaction and administration layer 306, and a core componentslayer 308. The “layer” designation is provided for explanatory purposes,as one of ordinary skill will appreciate that the functions may becharacterized in other meaningful ways. One or more of the layers (orthe components therein) may be integrated or otherwise. Some componentsmay be shared across layers.

The gateway protocols in the gateway protocol layer 302 providetransparency to existing applications. In particular, the gatewaysprovide native file services such as NFS 310 and SMB/CIFS 312, as wellas a Web services API to build custom applications. HTTP support 314 isalso provided. The access layer 304 provides access to the archive. Inparticular, according to the invention, a Fixed Content File System(FCFS) 316 emulates a native file system to provide full access toarchive objects. FCFS gives applications direct access to the archivecontents as if they were ordinary files. Preferably, archived content isrendered in its original format, while metadata is exposed as files.FCFS 316 provides conventional views of directories and permissions androutine file-level calls, so that administrators can provisionfixed-content data in a way that is familiar to them. File access callspreferably are intercepted by a user-space daemon and routed to theappropriate core component (in layer 308), which dynamically creates theappropriate view to the calling application. FCFS calls preferably areconstrained by archive policies to facilitate autonomous archivemanagement. Thus, in one example, an administrator or application cannotdelete an archive object whose retention period (a given policy) isstill in force.

The access layer 304 preferably also includes a Web user interface (UI)318 and an SNMP gateway 320. The Web user interface 318 preferably isimplemented as an administrator console that provides interactive accessto an administration engine 322 in the file transaction andadministration layer 306. The administrative console 318 preferably is apassword-protected, Web-based GUI that provides a dynamic view of thearchive, including archive objects and individual nodes. The SNMPgateway 320 offers storage management applications easy access to theadministration engine 322, enabling them to securely monitor and controlcluster activity. The administration engine monitors cluster activity,including system and policy events. The file transaction andadministration layer 306 also includes a request manager process 324.The request manager 324 orchestrates all requests from the externalworld (through the access layer 304), as well as internal requests froma policy manager 326 in the core components layer 308.

In addition to the policy manager 326, the core components also includea metadata manager 328, and one or more instances of a storage manager330. A metadata manager 328 preferably is installed on each node.Collectively, the metadata managers in a cluster act as a distributeddatabase, managing all archive objects. On a given node, the metadatamanager 328 manages a subset of archive objects, where preferably eachobject maps between an external file (“EF,” the data that entered thearchive for storage) and a set of internal files (each an “IF”) wherethe archive data is physically located. The same metadata manager 328also manages a set of archive objects replicated from other nodes. Thus,the current state of every external file is always available to multiplemetadata managers on several nodes. In the event of node failure, themetadata managers on other nodes continue to provide access to the datapreviously managed by the failed node. This operation is described inmore detail below. The storage manager 330 provides a file system layeravailable to all other components in the distributed application.Preferably, it stores the data objects in a node's local file system.Each drive in a given node preferably has its own storage manager. Thisallows the node to remove individual drives and to optimize throughput.The storage manager 330 also provides system information, integritychecks on the data, and the ability to traverse local directorystructures.

As illustrated in FIG. 3, the cluster manages internal and externalcommunication through a communications middleware layer 332 and a DNSmanager 334. The infrastructure 332 is an efficient and reliablemessage-based middleware layer that enables communication among archivecomponents. In an illustrated embodiment, the layer supports multicastand point-to-point communications. The DNS manager 334 runs distributedname services that connect all nodes to the enterprise server.Preferably, the DNS manager (either alone or in conjunction with a DNSservice) load balances requests across all nodes to ensure maximumcluster throughput and availability.

In an illustrated embodiment, the application instance executes on abase operating system 336, such as Red Hat Linux 10.0. Thecommunications middleware is any convenient distributed communicationmechanism. Other components may include FUSE (Filesystem in USErspace),which may be used for the Fixed Content File System (FCFS) 316. The NFSgateway 310 may be implemented by Unfsd, which is a user spaceimplementation of the standard nfsd Linux Kernel NFS driver. Thedatabase in each node may be implemented, for example, by PostgreSQL(also referred to herein as Postgres), which is an object-relationaldatabase management system (ORDBMS). The node may include a Web server,such as Jetty, which is a Java HTTP server and servlet container. Ofcourse, the above mechanisms are merely illustrative.

The storage manager 330 on a given node is responsible for managing thephysical storage devices. Preferably, each storage manager instance isresponsible for a single root directory into which all files are placedaccording to its placement algorithm. Multiple storage manager instancescan be running on a node at the same time, and each usually represents adifferent physical disk in the system. The storage manager abstracts thedrive and interface technology being used from the rest of the system.When the storage manager instance is asked to write a file it generatesa full path and file name for the representation for which it will beresponsible. In a representative embodiment, each object to be stored ona storage manager is received as raw data to be stored, with the storagemanager then adding its own metadata to the file as it stores it to keeptrack of different types of information. By way of example, thismetadata includes: EF length (length of external file in bytes), IFSegment size (size of this piece of the Internal File), EF Protectionrepresentation (EF protection mode), IF protection role (representationof this internal file), EF Creation timestamp (external file timestamp),Signature (signature of the internal file at the time of the write(PUT), including a signature type) and EF Filename (external filefilename). Storing this additional metadata with the internal file dataprovides for additional levels of protection. In particular, scavengingcan create external file records in the database from the metadatastored in the internal files. Other services (sometimes referred toherein as “policies”) can validate internal file hash against theinternal file to validate that the internal file remains intact.

As noted above, internal files preferably are the “chunks” of datarepresenting a portion of the original “file” in the archive object, andpreferably they are placed on different nodes to achieve striping andprotection blocks. Typically, one external file entry is present in ametadata manager for each archive object, while there may be manyinternal file entries for each external file entry. Typically, internalfile layout depends on the system. In a given implementation, the actualphysical format of this data on disk is stored in a series of variablelength records.

The request manager 324 is responsible for executing the set ofoperations needed to perform archive actions by interacting with othercomponents within the system. The request manager supports manysimultaneous actions of different types, is able to roll-back any failedtransactions, and supports transactions that can take a long time toexecute. The request manager also ensures that read/write operations inthe archive are handled properly and guarantees all requests are in aknown state at all times. It also provides transaction control forcoordinating multiple read/write operations across nodes to satisfy agiven client request. In addition, the request manager caches metadatamanager entries for recently used files and provides buffering forsessions as well as data blocks.

A cluster's primary responsibility is to store an unlimited number offiles on disk reliably. A given node may be thought of as being“unreliable,” in the sense that it may be unreachable or otherwiseunavailable for any reason. A collection of such potentially unreliablenodes collaborate to create reliable and highly available storage.Generally, there are two types of information that need to be stored:the files themselves and the metadata about the files.

The content platform also may implement a replication scheme such asdescribed in Ser. No. 11/936,317, filed Nov. 7, 2007, the disclosure ofwhich is incorporated by reference. According to that disclosure, acluster recovery process is implemented across a set of distributedarchives, where each individual archive is a storage cluster ofpreferably symmetric nodes. Each node of a cluster typically executes aninstance of an application (as described above) that providesobject-based storage of fixed content data and associated metadata.According to the storage method, an association or “link” between afirst cluster and a second cluster is first established to facilitatereplication. The first cluster is sometimes referred to as a “primary”whereas the “second” cluster is sometimes referred to as a “replica.”Once the link is made, the first cluster's fixed content data andmetadata are then replicated from the first cluster to the secondcluster, preferably in a continuous manner. Upon a failure of the firstcluster, however, a failover operation occurs, and clients of the firstcluster are redirected to the second cluster. Upon repair or replacementof the first cluster (a “restore”), the repaired or replaced firstcluster resumes authority for servicing the clients of the firstcluster.

FIG. 16 illustrates a Primary cluster 1600 together with a three Replicaclusters 1602 (one located in Wabasha, USA, one located in Luton, UK,and one located in Kyoto, JP). Typically, clusters are located indifferent geographic locations, although this is not a limitation orrequirement. Content is replicated (through replication process) fromthe primary cluster (PC) 1600 to each replica cluster (RC) 1602 enablingbusiness continuity and disaster recovery. Thus, in the event of anoutage, client applications can failover to the replica clusterminimizing system downtime. Restore functionality (a recovery process)provides rapid re-population of a new primary cluster, which may beeither the re-built/re-stored original primary cluster, or an entirelynew primary cluster.

FIG. 17 illustrates an administration console graphical user interface(GUI) 1700 that allows creation of replication Links between clusters.As noted above, a link enables a source namespace to be replicated to aspecified target cluster. The link may be configured with one or moreoptions. Thus, a digital signature option may be selected to guaranteeauthenticity of the link. A compression option may be selected to enabledata compression across the link to minimize WAN bandwidth requirements.An encryption option may be selected to enable encryption (e.g., SSL) tobe used if the link needs to be secured, which may be the case if thelink encompasses a public network (such as the Internet). In addition, ascheduling option enables selection of when replication should takeplace, and how aggressive the replication should be. These optionspreferably are each configured by the Administrator. Preferably, archiveobjects are replicated from a primary cluster to one or more replicaclusters in a secure manner.

Preferably, replication is tracked at the object level, which includesfixed content data, metadata, and policy information (e.g., shreddingattributes, and the like). The GUI may also expose metrics that include,for example, replication progress in terms of number of objects andcapacity. Any archive may include a machine through which anAdministrator can configure an archive for replication, recovery andfail-back.

A content platform such as described above may implement a dataprotection level (DPL) scheme such as described in Ser. No. 11/675,224,filed Feb. 15, 2007, the disclosure of which is incorporated byreference.

The above is a description of a known content platform or “cluster.” Thefollowing describes how an enterprise (or other entity, such as aservice provider) can partition such a cluster and use the clusterresources more effectively as the amount of user data to be storedincreases.

Cluster Partitioning—Tenants and Namespaces

The following terminology applies to the subject matter that is nowdescribed:

Data Account (DA): an authenticated account that provides access to oneor more namespaces. The account has a separate set of CRUD (create,read, update, and delete) privileges for each namespace that it canaccess.

Namespace (NS): a logical partition of the cluster. A namespaceessentially serves as a collection of objects particular to at least onedefined application. As will be described, each namespace has a privatefilesystem with respect to other namespaces. Moreover, access to onenamespace does not grant a user access to another namespace. An archivemay have an upper bound on the number of namespaces allowed on a singlecluster (e.g., up to 100).

Authenticated Namespace (ANS): a namespace (preferably HTTP-only) thatrequires authenticated data access.

Default Namespace (dNS): a namespace for use with data that is ingestedinto the cluster in other than REST (Representational State Transfer),where REST is a lightweight protocol commonly used for exchangingstructured data and type information on the Web. Further, even if anapplication uses the REST interface, if a namespace is not specifiedduring authentication to the cluster, all data can be stored in thedefault namespace.

Tenant: a grouping of namespace(s) and possibly other subtenants.

Top-Level Tenant (TLT): a tenant which has no parent tenant, e.g. anenterprise.

Subtenant: a tenant whose parent is another tenant; e.g. theenterprise's financing department.

Default Tenant: the top-level tenant that contains only the defaultnamespace.

Cluster: a physical archive instance, such as described above.

When the cluster is freshly installed, it contains no tenants. Clusteradministrators create top-level tenants and administrative accountsassociated with those top-level tenants, as well as enable the defaulttenant and default namespace. FIG. 4 illustrates this basic concept. Asshown there, there is a cluster instance 400, such as the systemillustrated in FIGS. 2-3 and described above. As will be illustrated inmore detail below, a cluster administrator has an account 402. Anappropriate administrator is given authority to create a top leveltenant 404, and one or more namespaces for that TLT, such as firstauthenticated namespace 406 (for an engineering department) and a secondauthenticated namespace 408 (for a finance department). An appropriateadministrator also sets up administrator accounts 412 and data accounts414 for the TLT. In addition, an administrator can also enable a defaulttenant 416 having an associated default namespace 418. Although notshown, authorized administrators may also set up subtenants. Theadministrator also establishes administrative logs 420. Of course, theabove configuration is merely exemplary, as the subject matter herein isnot limited to any particular type of use case or tenant/namespaceconfiguration.

At a macro level, all namespaces can be considered as the same orsubstantially the same entities with the same qualities andcapabilities. Generally, and as will be seen, a namespace has a set ofassociated capabilities that may be enabled or disabled as determined byan appropriately credentialed administrator. A single namespace can hostone or more applications, although preferably a namespace is associatedwith just one defined application (although this is not a limitation). Anamespace typically has one or more of the following set of associatedcapabilities that a namespace administrator can choose to enable ordisable for a given data account: read (r)—includes reading files,directory listings, and exists/HEAD operations; write (w); delete (d);purge (p)—allows one to purge all versions of a file; privileged(P)—allows for privileged delete and privileged purge; and search (s).

Using namespaces, and as illustrated generally in FIG. 4, anadministrator can create multiple domains for a cluster, which domainsdiffer based upon the perspective of the user/actor. These domainsinclude, for example, the following: access application, cluster admin,TLT admin, subtenant admin, and replication. The domain of the accessapplication is a given namespace. An authorized administrator (such asadmin 402) has a view of the cluster as whole. As shown, theadministrator 402 can create a top-level tenant and perform all of theadministration for actions that have cluster scope. In certainsituations, such as enterprise deployments, the tenant may grantappropriate administrators the ability to manage the tenant, in whichcase any cluster admin also will be able to function as a TLT admin. TheTLT admin creates namespaces, data accounts and subtenants. The TLT isable to modify some configuration settings, such as namespace quotas orto enable versioning. The subtenant admin is able to create a namespaceunder a subtenant. The domain of replication is a set of TLTs defined bythe cluster administrator while configuring replication betweenclusters.

One of ordinary skill in the art will appreciate that a tenant is alogical archive as viewed by an administrator. As shown in FIG. 4, atenant may represent an organization or a department using a portion ofa cluster. A tenant may be implemented as a hierarchy in that it cancontain other tenants.

A tenant preferably has a set of attributes: namespaces, administrativeaccounts, data access accounts, permission mask, roll-up of state, name,and quotas. A tenant may contain zero or more namespaces. A tenant willhave a set of administrative accounts (such as account 412) that enableusers to monitor and update attributes of the tenant. The data accessaccounts are the set of accounts which access namespace objects. Apermission mask (r/w/d/p/P/s) is the set of permissions global to thetenant and that mask a namespace's permissions. The roll-up of state arethe metrics on all namespaces within the tenant. The name of the tenantis settable and changeable by an appropriate administrator. Tenant nameswithin the same cluster must not collide. A top level tenant preferablyis assigned a hard storage quota by the administrator. The appropriateadmin can lower or raise that quota, and he or she can assign as muchquota as desired. The TLT can also specify a soft quota, which is agiven percentage of the hard quota. A tenant is able to divide its quotaamong one or more namespaces, but the total assigned quota may notexceed that of the tenant. For accounting purposes, preferably the quotawill measure the rounded up size of an ingested file to the nearestblock size. A soft quota is typically a predetermined percentage (e.g.,85%) of a hard quota, but this value may be configurable. Once the hardquota is exceeded, no further writes are allowed, although in-progresswrites preferably are not blocked. It may be acceptable to have a delaybetween exceeding a quota and having future writes blocked. Preferably,quotas are replicated but cannot be changed. When a replica becomeswritable, the quota is enforced there as well.

A tenant administrator also has a set of roles that include one or moreof the following: a monitor role, an administrator role, a securityrole, and a compliance role. A monitor role is a read-only version of anadministrator role. The administrator role is the primary roleassociated with a tenant. As described and illustrated above, this roleallows an admin user to create namespaces under the current tenant, andit provides a view of all namespaces within this tenant (and associatedstatistics such as file counts, space available, space used, etc.). Theadministrator also can view tenant and namespace logs, and he or she canview/update tenant and namespace configuration. The security role givesa user the ability to create/modify/delete new administrative users. Auser with the security role can add and delete roles from othertenant-level administrative accounts. When the tenant is first created,preferably there is one administrative user associated with the tenant,and this user account has just the security role. The compliance roleenables privileged delete and retention class functions (as definedbelow).

A namespace is a logical archive as viewed by an application. Accordingto the subject matter herein, a particular namespace is distinct from adifferent namespace, and access to one namespace does not grant a useraccess to another namespace. Preferably, administration of a namespaceis performed at the owning tenant level. Moreover, preferably anamespace may only be deleted if a count of objects associated with thatnamespace is zero. A namespace preferably also has the followingattributes: permission mask, initial settings, other settings, displayname, quota, logs, and stats. As noted above, the permission mask(r/w/d/p/P/s) is the set of settings global to the namespace and whichmask an account's permissions. The initial settings identify a dataprotection level (DPL), a hashing scheme, and the like, that preferablyremain persistent. The other settings refer to settings (such asretention, shred, versioning, indexing, and the like) that can be set onthe namespace and then later changed. This feature is described in moredetail below. The display name is a name or other identifier for thenamespace. The quota is either hard (in GB) or soft (in percent). Thelogs attribute identifies the system events related to the namespacethat will be logged. The stats attribute identifies the statistics thatare generated from namespace-related data, such as capacity, number ofobjects, and the like.

Preferably, tenant names and namespace names are human readableidentifiers in the various administrative user interfaces (UIs).Preferably, these names also are used in hostnames to specify thenamespace of a data access request, the tenant which an administrator isadministrating, and the scope over which a search should be confined.The namespace name is useful because a tenant may have more than onenamespace associated with it. Preferably, object access over HTTP uses ahostname in the form of:

-   -   <namespace-name>.<tenant-name>.<cluster-domain-suffix>        These names comply with conventional domain name system (DNS)        standards. As noted above, tenant names on a cluster must not        collide.

The following provides additional details of a tenant administrativeuser interface (UI) and the associated functionality provided by thatinterface. Preferably, the tenant UI is implemented as a Web-based userinterface (such as the interface 318 in FIG. 3), namely, as a tenantadministrator console that provides interactive access to anadministration engine. The administrative console preferably is apassword-protected, Web-based GUI that provides a dynamic view of thearchive. Once the tenant administrator has logged into the tenantadministrator console, an overview page is provided that presents a mainnavigation menu. That menu provides access to one or more high levelfunctions (implemented as web pages) such as Overview, Namespaces, DataAccess Accounts, Services, Security and Monitoring. Several of theseinterfaces are now described in more detail.

As seen in FIG. 5, the Overview page 500 shows information about thecurrent tenant (i.e., the tenant the administrator logged into),including statistics and major event logs. Typically, the page containsthe following information, and preferably this information is noteditable: tenant name 502, a link 504 to update the tenant accountsettings, a checkbox 506 which allows any cluster administrator to alsoadminister this tenant and search over all objects in all namespacesassociated with this tenant (provided they have a search role),rolled-up information 508 such as quota (total, unallocated andallocated), namespaces (total number, objects ingested, objected indexedand objects versioned), and accounts (number of data accounts, andnumber of administer accounts), a permissions menu 510 applied tonamespaces owned by the tenant, a tenant description 512, and logs andalerts 514. As illustrated in FIG. 5, the permissions menu identifiesthe effective permissions (which are checked), and the values of thepermissions mask. Because this is the top level, all the settings areshown as inherited and as present in the tenant mask. If the userselects the edit tab, a sub-menu 516 is displayed to enable a permittedadministrator to modify the individual permissions. Preferably, theadministrator role can modify panels on this page, and the monitor andadministrator roles can view the page and panels on the page.

FIG. 6 illustrates the Namespaces page 600, which lists all namespacesdefined directly under this tenant, as well as general statistics abouteach (object count, any alerts, and quota). This page allows theadministrator to drill down for further configuration of a specificnamespace. This page is viewable by accounts with the administrator andmonitor roles. The page includes a table 602 listing the namespacesowned by the current tenant, and controls (e.g., links/buttons 604) areprovided to enable the administrator to create a namespace, view or editthe settings for a listed namespace, or view statistics for a listednamespace. The table includes columns in which statistics and otherinformation for a given namespace, such as object count 606, alerts 608and quota 610, are displayed in summary form.

By selecting the Create Namespace container title bar, the CreateNamespace container 700 expands as shown in FIG. 7 to allow a tenant toadd a new namespace for the current tenant. To create a new namespace,the user provides the following information: name 702, description 704,maximum size (the hard quota in TB, GB, MB, or the like, for the newnamespace) 706, a soft quota (may default to 85%) 708, a DPL value 710(may default to 1 for external storage, 2 for internal storage), a hashvalue 712 (may default to SHA-256), a retention mode 714 (enterprise orcompliance, defaults to enterprise), object versioning 716 (on/off,defaults to off), and search indexing 718 (on/off, default value isinherited from the tenant). Preferably, the administrator role can viewand modify this page. Once the individual parameters for the namespaceare configured, the user selects the Create Namespace button 720 tocomplete the process. In this manner, each individual namespace within atenant configuration is highly configurable as compared to any othernamespace within the tenant. This namespace-by-namespace configurabilityoption provides significant operational and management flexibility.

Referring back to FIG. 6, if the user selects any one of the identifiedNamespaces, a Namespace Overview container 800 expands as shown in FIG.8, exposing statistics about the selected namespace. These include afield 802 for the namespace name, object and usage graphs 804 (e.g., theobjects in namespace, objects indexed, usage such as bytes transferredinto namespace, file size sum, and total quota allocated), alerts 806,the permissions menu 808 (showing the permissions mask for thisnamespace), and a description 810. The monitor and administrator rolescan view this page. As also illustrated in FIG. 8, once a givenNamespace is selected for configuration, a number of container pages areexposed including a Policies tab 812, a Services tab 814, a Compliancetab 816, a Protocols tab 818, and a Monitoring tab 820. Several of theseinterfaces are now described in more detail.

If the user selects the Policies tab 812 from the Namespace Overviewcontainer 800, a Policies page is displayed from which the user can thenconfigure one or more policies for the particular namespace. In FIG. 9,the user has opened the Policies page 900 and selected a Retentionpolicy title bar, which opens up a container 902 through which theadministrator sets a retention policy. If an offset retention method 904is selected, the administrator sets maximum values (years, months anddays). If a fixed date retention method 906 is selected, the user usesthe calendar to set a date. If a special values retention method 908 isselected, the user can select from a set of options: deletion allowed,initially unspecified, indefinite and prohibited. If a retention classesmethod 910 is selected, a set of additional options are exposed, as willbe described in more detail below. Once the configuration is made, it issaved by selecting the Update Policy button 912.

Another configurable policy is versioning. FIG. 10 illustrates acontainer 1000 with a set of controls that can be used for this purpose.When the container is opened, the user can select a checkbox 1002 toenable versioning for this particular namespace. If this checkbox isselected, the user can then configure (using field 1004) how long theversions are to be kept on the primary cluster and, if replication isenabled, on any replica cluster. This policy is saved by selecting theUpdate Policy button 1006.

Returning to the description of the administrator console, if the userselects the Services tab 814 for the Namespace, one or more serviceoptions may be configured. One such service option is disposition(sometimes referred to as a “disposition service”), which enablesautomatic deletion of objects with expired retention. The dispositionservice option is enabled through a panel 1100 that includes a checkbox1102, which is selected to enable the option for the particularnamespace. The user selects the Update Services button 1104 to completethe configuration. Thus, according to the configuration option, once theconfigured retention (e.g., identified in the retention class) expires,the objects associated with that retention class (for this namespaceonly) are automatically deleted from the cluster. This operation isadvantageous as it enables the cluster to reclaim storage space. Thedisposition service, however, is on a namespace-by-namespace basis,which is highly desirable and provides increased management flexibility.

If the user selects the Compliance tab 816 for the Namespace, one ormore compliance options may be configured. In FIG. 12, the user hasselected a Privileged Delete compliance option, by which the user canidentify for deletion a particular object and provide reasons for thisdeletion. As shown, the Privileged Delete panel 1200 includes a field1202 in which the object to be deleted is identified (preferably by itsfull path), as well as a description 1204 field indicating the reasonfor deletion. By selecting the Delete This Object button 1206, theobject is then permanently deleted from the cluster. Preferably, thisfeature is only enabled for an enterprise mode of operation. ThePrivileged Delete function enables the user to remove all versions of anobject, even if the object is under retention.

Another configurable option in the Compliance tab 816 for the Namespaceis the option to configure one or more Retention Classes. A RetentionClass is a defined grouping of objects that are to be subject to thesame retention configuration. When the user navigates to the RetentionClasses tab, a set of previously-defined Retention Classes and theirvalues are displayed and can be selected for review. To add a newretention class, the user selects a title bar, which opens up thecontainer 1300 shown in FIG. 13. Using this panel, the user can identifythe new retention class name using field 1302, select the retentionmethod by menu 1304, and add a description in field 1306. The retentionmethod menu 1304 exposes the retention options (years, months, and days)previously described. The Add new retention class button 1308 is used toconfigure the new class.

If replication is enabled for the tenant, the administrator console willprovide a display of graphs and statistics, preferably on aper-namespace level. FIG. 14 illustrates a representative UI page 1400when Replication is selected from the main Services tab. The page listseach Namespace that has been configured for the tenant, such asNamespace 1402. Data in a column 1404 indicates the up-to-date status ofthe replica (meaning all objects are replicated as of this date andtime), and data in a “Day's Behind” graphic 1406 indicates how farbehind the replica is relative to the primary. When the user selects anyone of the identified Namespaces, such as 1402, a Namespace Overviewcontainer 1500 expands as shown in FIG. 15, exposing more detailedgraphs and statistics about the selected namespace. The graph 1504illustrates the data transfer rate and chart 1506 illustrates summaryhistorical data.

Data at a tenant level is replicated for tenants configured forreplication. In the event of a disaster or other issue at the primarycluster, all of the archive configuration settings can be restored forthe tenant from the replica.

FIG. 18 illustrates the basic concept of replication as applied totenants and namespaces. As illustrated, there is a primary cluster 1800and at least one replica 1802. The link 1804 has been establishedbetween the clusters. Primary cluster 1800 has two configured tenants T1and T2, and tenant T1 has two namespaces NS1 and NS2, which have beenconfigured in the manner previously described and illustrated. Tenant T2has one namespace, NS3. Cluster 1802 includes configured tenant T3,having two namespaces NS4 and NS5, as shown. According to thisdisclosure, the tenant T1 and its associated namespaces has beenreplicated over link 1804 that has been established between cluster 1800and cluster 1802. The replica is indicated in dashed form in cluster1802. The tenant T1 is read/write on cluster 1800, but read-only on thereplica cluster 1802. Preferably, replication over the link 1804 isuni-directional, and information is replicated in one direction at atime (i.e. the entire link either is replicating from source to replica,or restoring in the opposite direction). Generally, the replication linkreplicates at least some tenant information from the source cluster tothe replica cluster.

The information to be replicated includes accounts for tenants and theirassociated namespaces. In a typical implementation, the following itemsmay be selected for replication over a particular replication link: anynumber of top level directories from the default namespace, and anynumber of top level tenants. If a tenant is selected, preferably allassociated information will be replicated, namely: tenant adminaccounts, tenant data accounts, tenant admin logs, tenant configurationinformation (including their retention class definitions), allassociated namespaces and their data, and all associated namespace logs(including compliance logs), and so forth. Preferably, replicationmetrics are provided (in the UI) for both the replication link andindividual namespaces within it. One or more of these metrics may beavailable for the replication link: total bytes replicated (ever), totalbytes restored (ever), number of operations replicated (ever), number ofoperations restored (ever), current bytes per second transfer rate,current operations per second rate, current errors per second rate,greatest replication backlog time (for whichever namespace is farthestbehind), average replication backlog time (averaged across allreplicated namespaces), and smallest replication backlog time.Preferably, one or more of the following metrics are viewable for eachreplicated namespace: total bytes replicated (ever), total bytesrestored (ever), current bytes per second transfer rate, currentoperations per second rate, current errors per second rate, andreplication backlog time.

There may be one or more replication links per tenant or namespace. Aparticular cluster may have one or more outbound links (to one or morereplica clusters), and one or more inbound links (from one or morereplica clusters). If multiple links are supported, one tenant can bereplicated to different clusters, and replication links with differentcharacteristics or quality-of-service (QoS) may be implemented. In sucha multi-link implementation, a tenant can replicate its namespaces overdifferent replication links based on the link characteristics (static ordynamic).

In a typical use case, such as shown in FIG. 18, the replica tenant T1in cluster 1802 is read-only (although this is not a limitation). As aconsequence, no configuration change may be made by any tenantadministrator logged into the replica tenant, and no deletes or purgesmay be made by any data access account to any namespace associated withthe replica tenant. Likewise, while a data account (a user) with asearch privilege may log in to the search UI on the replica and issue aquery, however, the user may not do any update action, such as delete,hold, purge, privilege delete, or save the results of the query.

Preferably, there are one or more exceptions to this read-onlyrestriction for system events on the replica, and administrative anddata accounts on the replica. System events specific to the replicatedtenant and associated namespaces cause writes to administrative logs.Thus, actions such as logging into the replica tenant admin UI arelogged on the replica as a system event, and certain events (e.g.,irreparable file found) logged in a replica's namespace are also loggedin the replica's system events. Moreover, if a tenant admin fails aconsecutive login check on the replica, his or her account may bedisabled on the replica. Similarly, if a data account fails aconsecutive authentication check on the replica, the account is disabledon the replica. Because all configuration (including admin and dataaccounts) preferably is read-only on the replica, the procedure forre-enabling these accounts on the replica preferably is as follows: onthe source cluster, disable account; re-enable the account; and wait forthe account to be replicated. The update on the source is thenpropagated to the replica, and the account on the replica becomesenabled.

To allow for a new tenant to be added to the replication link withoutstalling the progress of other tenants, the following replicationalgorithm is implemented. By way of background, a replication algorithmcan be visualized as a series of loops (over time, and region)culminating in a query for all objects that changed in a certain timerange on a specific region. This approach is modified as follows: loopover each region, performing a certain amount of work, until all objectsare replicated within a requested time interval. There is no requirementthat each region (or namespace within a region) be synchronized withrespect to any lower bound of its change time. A “content collector”(such as a Tenant content collector, an AdminLog content collector) workentity is then defined. The content collector for namespaces preferablyis region-based in that it must further subdivide its work amongmultiple regions of the cluster. The flow control then works as follows:

While there are intervals left:

-   -   1. Define the current time interval:    -   2. For each content collector:        -   1. Replicate eligible content for the given time interval    -   3. If the content collector is region-based:        -   1. For each region:            -   1. For each namespace to be replicated:                -   1. Replicate eligible objects within time interval

The last step (replicating all eligible objects within the timeinterval) is done up to a “unit of work.” Because the number of objectsto replicate in a time window may be large, the amount of work done maybe limited if desired, e.g., by capping the “amount of work” done foreach namespace (e.g., the number of objects replicated, the quantity ofbytes replicated, or some other measure).

The approach described above is beneficial because it enables a tenantor namespace to be added to an existing replication link withoutinterfering with the progress of other objects on the link. Tenants andnamespaces can be replicated with varying QoS levels, as described, andreplication of an individual namespace can be paused without affectingother tenants. Further, by structuring the database appropriately, thereplication algorithm also can do fine-grained work among differentobject types. The technique enables rotation among the namespaces at afairly granular level so that replication of objects across namespacesappears uniform.

The replication techniques described herein can be expanded to includeother types of data (beyond tenant and namespace data), such asadministrative and account data, administrative logs, retention classes,database configurations and objects, and the like.

The replication logic preferably processes changes on a region-specificbasis within the cluster. The replication logic thus may query andgenerate changes for the following types of information: tenant andnamespace-specific admin logs, tenant admin accounts, tenant dataaccounts, tenant configuration, and namespace configuration. A querygathers matching records for each of these types of data.

Although not illustrated in detail, the other display panels exposeother configuration options that may be used to configure operations andfunctions on a namespace-specific basis. Thus, Protocols tab 818 enablesthe administrator to manage protocol settings, such as enabling HTTP,HTTPS, and to create white/block lists of IP addresses. The Monitoringtab 820 enables the administrator to identify or review system logmessages that are specific to the namespace, to review object status,and to illustrate privileged delete and retention class activities.

The administrator can also create and manage data access accounts frompages in the console and have these configuration settings applied toall namespaces for which the tenant is currently logged into. For eachsuch data access account, the administrator can associate the desiredaccess rights (e.g., read, write, delete, purge, search, etc.) that willbe afforded the individual.

If the namespace is authenticated, the following additional controls maybe imposed. Preferably, access to archive objects in an authenticatednamespace is carried out through HTTP and subject to valid credentials.A client must supply these credentials to the cluster, typically usingCookie and Host headers on each HTTP operation. The necessaryinformation required to map a client request to a specific data accessaccount in a namespace includes username, password, and a fullyqualified namespace name (FQNN). The FQNN identifies the namespacewithin a tenant hierarchy, and it is based on the namespace name, thetenant name, and a tenant's parent name (if any). REST access methodspreferably are used for object actions (object ingestion, objectretrieval, object existence checks, object deletion, object purge,directory listing, and directory creation), and metadata actions (setretention, set legal hold, set shred on delete, set/get/delete custommetadata, get all metadata). As is known, REST (Representational StateTransfer) is a lightweight protocol commonly used for exchangingstructured data and type information on the Web. Transport layersecurity mechanisms, such as HTTP over TLS (Transport Layer Security),may be used to secure messages between two adjacent nodes. Familiaritywith these technologies and standards is presumed.

By partitioning the UI into cluster and tenant-focused pieces, differentpeople can perform cluster and tenant management. This ensures thatprivacy between the cluster admin and tenant admin views is enforced,ensures that the tenant does not have access to hardware or otherdetails that may “break” the cluster, and protects the privacy of tenantdata.

The subject matter described herein provides numerous advantages. Usingthe namespaces approach described, an entity (such as an enterpriseoperating the archive) can more easily segregate and manage its data.The approach enables the administrator to perform cluster operations onselect subsets of the total cluster data set, as well as the ability toperform metering operations (e.g., capacity reporting) at a finergranularity. The ability to partition the cluster in the mannerdescribed provides significant operational, management andadministrative efficiencies, as the ever-increasing (e.g., petabytescale) data would be difficult to manage otherwise.

The described subject matter enables different administrators to performcluster and tenant management, and to minimize the information thatpasses between these two areas.

The subject matter is not limited to any particular type of use case. Atypical use environment is an enterprise, although the techniques may beimplemented by a storage service provider or an entity that operates astorage cloud.

The techniques described herein, wherein users associated with a tenant(such as a TLT) have access privileges created and managed as set forthabove may be extended and used in other than an archive cluster forfixed content. Thus, for example, these techniques may also beimplemented in the context of a standard virtualization approach for astorage management system.

While the above describes a particular order of operations performed bycertain embodiments of the invention, it should be understood that suchorder is exemplary, as alternative embodiments may perform theoperations in a different order, combine certain operations, overlapcertain operations, or the like. References in the specification to agiven embodiment indicate that the embodiment described may include aparticular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic.

While the present invention has been described in the context of amethod or process, the present invention also relates to apparatus forperforming the operations herein. This apparatus may be speciallyconstructed for the required purposes, or it may comprise ageneral-purpose computer selectively activated or reconfigured by acomputer program stored in the computer. Such a computer program may bestored in a computer readable storage medium, such as, but is notlimited to, any type of disk including optical disks, CD-ROMs, andmagnetic-optical disks, read-only memories (ROMs), random accessmemories (RAMs), magnetic or optical cards, or any type of mediasuitable for storing electronic instructions, and each coupled to acomputer system bus.

While given components of the system have been described separately, oneof ordinary skill will appreciate that some of the functions may becombined or shared in given instructions, program sequences, codeportions, and the like.

As used herein, the word “location” is not necessarily limited to a“geographic” location. While clusters are typically separatedgeographically, this is not a requirement. A primary cluster may belocated in one data center in a city, while the replica cluster islocated in another data center in the same center. The two clusters mayalso be in different locations within a single data center.

Although the present invention has been described in the context of anarchive for “fixed content,” this is not a limitation either. Thetechniques described herein may be applied equally to storage systemsthat allow append and replace type modifications to the content.

The replication techniques described herein may be extended. Thus, forexample, the techniques may be used in the context of network attachedstorage (NAS) for the purpose of replicating key information from NASvirtual servers or application containers to the content platform. Thiswould allow one NAS system to read the information from another NASsystem to enable reconstitution of NAS system configuration data. Thisapproach can also be extended to the objects and files sent to thecontent platform from the NAS system components.

Having described the invention, what we now claim is as follows.

The invention claimed is:
 1. A method operative in a first storagesystem including a first processor and a first storage device storing aprogram executed by the first processor, a second storage system,including a second processor and a second storage device, that iscoupled to the first storage system, the method comprising: managing aplurality of tenants, which are logical partitions of the first storagesystem, each of the tenants is associated with a plurality ofnamespaces; enabling replication of a first tenant of the plurality oftenants in the first storage system; and replicating informationregarding the first tenant and a plurality of first namespacesassociated with the first tenant to the second storage system.
 2. Amethod according to claim 1, further comprising: replicating to thesecond storage system an administrative account that enables users tomanage a configuration of the first tenant.
 3. A method according toclaim 1, further comprising: replicating log information of theplurality of namespaces associated with the first tenant.
 4. A methodaccording to claim 3, wherein the log information includes compliancelog information.
 5. A method according to claim 1, further comprising:providing the information regarding the first tenant in the secondstorage system as a read-only tenant to a client.
 6. A method accordingto claim 1, further comprising: in the second storage system,prohibiting deletion of one or more of the plurality of replicatednamespaces associated with the first tenant or changing a configurationof the first tenant.
 7. A method according to claim 1, furthercomprising: configuring a link between the first storage system and thesecond storage system to facilitate the replicating step.
 8. A methodaccording to claim 1, wherein the first storage system is a primarystorage system and the second storage system is a replica storagesystem.
 9. A system, comprising: one or more first nodes that configurea first cluster and each include a first processor, and a first storagedevice storing a program executed by the first processor; and one ormore second nodes that configure a second cluster and each include asecond processor, and a second storage device storing a program executedby the second processor; wherein the program, when executed by the firstprocessor, causes the first processor to: manage a plurality of tenants,which are logical partitions of the first cluster, each of the tenantsis associated with a plurality of namespaces, enable replication for afirst tenant in the plurality of tenants in the first cluster, andreplicate information regarding the first tenant and a plurality offirst namespaces associated with the first tenant to the second cluster.10. The system according to claim 9, wherein the first cluster isconfigured to replicate to the second cluster an administrative accountthat enables users to manage a configuration of the first tenant. 11.The system according to claim 9, wherein the first cluster is configuredto replicate log information of the plurality of namespaces associatedwith the first tenant.
 12. The system according to claim 11, wherein thelog information includes compliance log information.
 13. The systemaccording to claim 9, wherein the second cluster is configured toprovide the information regarding the first tenant in the second clusteras a read-only tenant to a client.
 14. The system according to claim 9,wherein the second cluster is configured to prohibit deletion of one ormore of the plurality of replicated namespaces associated with the firsttenant or changing a configuration of the first tenant.
 15. The systemaccording to claim 9, wherein the first cluster and the second clusterare configured to set a link between the first cluster and the secondcluster to enable the replication of the information regarding the firsttenant and the plurality of the first namespaces associated with thefirst tenant from the first cluster to the second cluster.
 16. Thesystem according to claim 9, wherein the first cluster is a primarycluster and the second cluster is a replica cluster.
 17. A first system,which is coupled to a second system, comprising: a first processor; anda first memory storing a program executed by the first processor,wherein execution of the program causes the first processor to: manage aplurality of tenants which are logical partitions of the first system,each of the tenants is associated with a plurality of namespaces; enablereplication for a first tenant in the plurality of tenants in the firstsystem, and replicate information regarding the first tenant and aplurality of first namespaces associated with the first tenant to thesecond system.
 18. The system according to claim 17, wherein the firstcluster is configured to replicate to the second cluster anadministrative account that enables users to manage a configuration ofthe first tenant.
 19. The system according to claim 17, wherein thefirst cluster is configured to replicate log information of theplurality of namespaces associated with the first tenant.
 20. The systemaccording to claim 19, wherein the log information includes compliancelog information.
 21. The system according to claim 17, wherein thesecond cluster is configured to provide the information regarding thefirst tenant in the second cluster as a read-only tenant to a client.22. The system according to claim 17, wherein the second cluster isconfigured to prohibit deletion of one or more of the plurality ofreplicated namespaces associated with the first tenant or changing aconfiguration of the first tenant.
 23. The system according to claim 17,wherein the first cluster and the second cluster are configured to set alink between the first cluster and the second cluster to enable thereplication of the information regarding the first tenant and theplurality of the first namespaces associated with the first tenant fromthe first cluster to the second cluster.
 24. The system according toclaim 17, wherein the first cluster is a primary cluster and the secondcluster is a replica cluster.